Governance, Risk

Position Overview
We are seeking a Governance, Risk & Compliance (GRC) Analyst to join our GRC team on a temporary contract through December 2026. This role has the potential to transition to full-time based on performance, business needs, and mutual fit.

This entry-level role is ideal for someone with foundational security experience looking to grow in a supportive, mentorship-driven environment. The focus is on learning to make thoughtful, risk-based security recommendations rather than following one-size-fits-all or checklist-driven controls. You will work closely with Senior Advisors and the security engineering team to understand client environments, assess risk in context, and support practical, business-aligned security outcomes. The role is not initially client-facing but provides a structured path toward independent advisory work over time.

Disclosure: This job posting is for an existing vacancy currently available for immediate hire.

Key Responsibilities
Client GRC Support (Mentored)

• Attend live client calls with Senior Advisors or review recorded sessions to build exposure to real-world engagements
• Draft initial threat and risk assessment (TRA) and tabletop exercise reports, supporting workbooks, and documentation based on advisor-led interviews
• Review client-provided documentation and evidence to identify gaps, inconsistencies, or weak controls
• Learn and apply structured interview techniques for TRAs, tabletop exercises, and gap analyses
• Support compliance initiatives across multiple frameworks, including ISO 27001, SOC 2, NIST CSF, HIPAA, and PCI DSS
• Develop the ability to translate framework requirements into practical, risk-based recommendations aligned to client business context.

Compliance Monitoring

• Develop subject matter expertise in our GRC platform and perform monthly reviews of client compliance controls and supporting evidence
• Identify missing, weak, or outdated evidence and flag areas of elevated risk
• Highlight issues requiring Senior Advisor follow-up during client review calls
• Track control effectiveness over time and highlight issues requiring Senior Advisor follow-up
• Monitor internal compliance posture using the GRC platform and support continuous improvement efforts

Policy and Documentation Development

• Draft and maintain information security policies, procedures, and supporting documentation for client and internal use
• Ensure documentation aligns with regulatory requirements while remaining practical, scalable, and risk-informed
• Collaborate with Senior Advisors and security teams to document incident response procedures, workflows, and assessment findings
• Translate technical security concepts into clear, accessible language for diverse stakeholders
• Contribute to the improvement of documentation templates, reporting standards, and internal knowledge bases

Internal Information Security

• Lead quarterly access reviews
• Compile and maintain evidence for third-party vendor reviews conducted annually or following significant changes
• Track and forecast upcoming evidence expirations and compliance milestones
• Escalate identified gaps or risks to the internal information security working group for remediation planning

Required Qualifications

• 1–3 years of experience in information security, IT, risk, compliance, or a related field
• Foundational understanding of information security principles and risk management concepts
• Strong written and technical communication skills with the ability to produce clear, structured documentation
• High attention to detail and comfort reviewing technical and non-technical evidence
• Willingness to learn security frameworks, assessment techniques, and compliance tooling
• Critical thinking and sound judgment in evaluating risk, beyond checklist-based controls
• Demonstrated expertise in Microsoft Office (Excel, Word, PowerPoint) for analysis, reporting, and documentation
• Eligible to work in Canada for the duration of the contract

Preferred Qualifications (not Required)

• Exposure to ISO 27001, SOC 2, NIST CSF, HIPAA, or similar frameworks
• Experience with GRC platforms such as Vanta, Drata, Secureframe, or equivalent
• Academic or practical experience with audits, assessments, or risk analysis
• Interest in long-term growth within GRC, advisory services, or security leadership

Sample Career Progression
During the contract period, you will support Senior Advisors, draft reports and assessments, review client evidence, and learn to assess risk in context while building familiarity with security frameworks and the GRC platform. If transitioned to full-time, you will take on greater responsibility by leading portions of assessments, making risk-based recommendations, drafting policies, and serving as a resource for GRC tooling and compliance. Over time, you will independently conduct assessments, provide clear risk guidance, mentor junior analysts, and help improve both client and internal security programs.

About Lyrical Security
Lyrical Security is a fast-growing Cybersecurity and Risk Management Services company, based in Markham, Ontario with employees located across Canada in a fully remote operating model.

Lyrical brings enterprise solutions to companies of all sizes across North America, helping our customers to protect their most critical assets with resilient cyber security and risk management technology and services. We dig deeper to understand our customer's needs and tailor solutions to detect, respond, and prevent security incidents ahead of the threat while maintaining compliance with best practices. Customers across North America trust our Managed, Advisory, Professional, and Offensive Security Services to protect their businesses all day, every day.

For more information about us, visit Lyrical's website at

We encourage people from underrepresented groups to apply. In keeping with our values, no employee or applicant will face discrimination/harassment based on race, color, ancestry, national origin, religion, age, gender, marital domestic partner status, sexual orientation, gender identity, disability status, or veteran status. Lyrical Security also strives to prevent other, subtler forms of inappropriate behavior from ever gaining a foothold in our organization. Whether blatant or hidden, barriers to success have no place at Lyrical Security.